Data Protection: COVID-19

Introduction

The HSE is collecting data, including personal data relating to patients and service users and health care workers before people are tested for COVID 19. We are collecting this data on our IT systems as part of our response to Covid-19.

Our aim is to be clear and transparent about the personal data which is collected and how this data is used by the HSE.

In the following paragraphs we set out information in relation to the following:

  • The Data Controller.
  • The Data Protection Officer (DPO).
  • What Personal Data we collect.
  • What we use your Personal Data for.
  • How long will we hold onto your Personal Data.
  • Who will have access to your Personal Data.
  • International data transfers.
  • Your Rights.
  • Complaints.

The Data Controller

The Health Service Executive (HSE) is the Data Controller for all personal data which is collected by the IT system. A Data Controller is the legal entity which determines how and why personal data is collected and used.

The HSE’s headquarters is located at Dr Steevens’ Hospital, Steevens’ Lane, Dublin 8, Ireland

The HSE operates within the provisions of the General Data Protection Regulation and Data Protection Acts.       

The Data Protection Officer (DPO)

The HSE has appointed a Data Protection Officer to oversee the HSE’s compliance with its data protection obligations. The HSE Data Protection Officer (DPO) can be contacted directly at dpo@hse.ie

What Personal Data we Collect

Personal data means any information about you which allows the HSE to identify you. It includes your name & address, contact phone numbers and email address.

The data collected about patients and the people who use our services and Health Care Workers may include personal data, such as their name, address, email address, phone number data of birth, gender as well as the results of tests undertaken to detect COVID-19.

Our IT system may receive and record data about you during the Covid-19 care pathway in some of the following ways:

  • When you contact the HSE Covid-19 Helpline at 1800 700 700;
  • Through a referral for a COVID-19 test by your GP, Public Health Doctor or Occupational Health Professional;
  • When you present for a COVID-19 test;
  • When you attend a COVID-19 Clinical Assessment Hub;
  • When you are admitted to an Acute Hospital with suspected or confirmed COVID-19;
  • In the event that you are admitted to a Critical Care Unit in an Acute Hospital with suspected or confirmed COVID-19;
  • When you are admitted to a COVID-19 Intermediate Care Facility.
  • Under limited circumstances, personal data originally provided to the HSE and other state agencies may be used by the HSE in conjunction with state agencies solely to verify the identity and contact details of individuals who have attended for COVID-19 testing and/or have registered for the COVID vaccination programme

What we use your Personal Data for

The data collected about you on the CCT solution will be used for the following purposes:

  • To arrange your swab test for Covid-19
  • To invite you to the test centre
  • To share information with the laboratory which will analyse your swab test  
  • To record results of tests for COVID-19
  • To contact you with the results
  • To contact you and your identified close personal contacts with regard to providing clinical advice and guidance in the event of a positive COVID-19 test result (contact tracing);
  • To inform your employer with the results if you are working in a healthcare setting or other high risk employment setting. By high risk we mean a decision has to be taken quickly by public health doctors in order to protect the health of others. 
  • To assist in the surveillance of the COVID-19 disease in our population to closely manage the Health Services’ response. For example this may include the issuing of text messages with follow-up health related advice.You would be able to opt out of receiving these text messages.
  • Maintain appropriate healthcare records of interactions for contact tracing purposes
  • Help us to manage resources relating to Covid19.

How long will we hold onto your Personal Data

The HSE will only retain your personal data for as long as it is necessary to fulfil the purposes it is being processed for. All personal data collected by the HSE is retained in accordance with the HSE Record Retention Policy or as legally required. The HSE Record Retention Policy is published here 

When the HSE no longer needs your personal data, they will securely delete or destroy your personal data.

Who will have access to your Personal Data

Your personal data stored on our IT systems will only be made available to and shared with others on a strict “need to know” basis and in compliance with the Data Protection Acts. For example:

  • The HSE staff and volunteers who are involved in COVID-19 testing, result notification and tracing of close contacts of persons testing positive for COVID-19;
  • HSE staff and the staff of funded HSE agencies under the Health Acts 1947-2019 who require access to your record in order to provide and manage health and social care services to you;
  • The Person in Charge of a nursing home or other health care facility in relation to the results of a COVID-19 test of their patient or resident;
  • The employer of a Health Care Worker in relation to their individual COVID-19 test results;
  • Staff of HSE and of external companies with whom we have the appropriate contracts in place, in relation to developing and maintaining the Covid Tracker system when required for technical reasons.
  • Statutory public health agencies in other countries where this is required for contact tracing purposes

Will my personal data be transferred outside of the European Economic Area (EEA)

The HSE does not intend to transfer any personal data stored on our IT systems outside the EEA. If the HSE decides to transfer any personal data outside the EEA they shall ensure the provisions of Chapter V of the General Data Protection Regulation (GDPR) are complied with.

What are your Rights

Under certain circumstances, by law you have the right to

  • Right of access – you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances, you can ask for the data we hold about you to be erased from our records, this does not usually apply to health care records and is not an absolute right.
  • Right to restriction of processing – where certain conditions apply to have a right to restrict the processing.
  • Right of portability – where certain conditions apply, you have the right to have the data you have provided to us in a structured, commonly used and machine-readable format,  transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing such as direct marketing, however, please be assured that we will not be using your data for direct marketing.
  • Right to object – including profiling – which produces legal effects concerning you or similarly significantly affects you.  However please note that our IT systems will not be making decisions based on automated processing.
  • Right to review – in the event that the HSE’s refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined below.

If you wish to exercise any of these rights, then please submit a request, to HSE Consumer Affairs 

When submitting a request, the HSE may need information from you to confirm your identity.

Once your identity has been confirmed, the HSE will supply you with your information free of charge, however, we may charge a reasonable fee if believe your request is clearly unfounded, excessive or repetitive.

Making a complaint

In the event that you wish to make a complaint about how your personal data is being processed by the HSE, or how your complaint has been handled, you have the right to lodge a complaint directly with the Data Protection Commission and the HSE Data Protection Officer:

Data Protection Commission

The HSE Data Protection Officer (DPO) can be contacted directly at:

DPO@hse.ie

The Security of your Personal Data

The HSE has legal obligations under the EU General Data Protection Regulations (GDPR) and the Data Protections Acts 1988 – 2018 to ensure all personal data which it collects and processes is kept confidential and secure.

To comply with these legal obligations the HSE have implemented a number of technical and organisational measures to protect the Covid Tracker System against unauthorised or unlawful processing, accidental loss, destruction or damage of your personal data.

Secondary Processing of your Personal Data

The HSE will not use any data collected by the CCT solution for any other purposes, without first anonymising or pseudononymising the data, to remove or replace all personal details from the data or contacting individuals to obtain their consent.

Changes to this Privacy Notice

This Privacy Notice may change from time to time and any changes to the Notice will be communicated by way of a notice on our website.